
Re: Script for sniffing traffic.

Thanks for the continued updates. I haven't had a chance to run it again yet, but am poking through the code. Couple of things:

1. The add_target function doesn't seem to use the target IP in the title. This is done now in the initially created arpspoof commands, just not the ones from the add_target call.

2. I couldn't get the demo video to play. May have just been me. I'll try it again later. I hit the "Demo Video" button and it popped up the viewer, but it just never started. The progress bar kept spinning.

3. In the loop parse, I still don't have any great ideas. It may be better to have a button to request refresh rather than auto refreshing every 5 seconds. At least this way you'd have the chance to scroll through or copy paste if needed. Of course if you can figure out a way to request a pause while it auto refreshes that would be even better. What about if you wrote to a file and then ran the tail command to continually monitor that file for new data and display the tail output in the window: "tail -f filename"

Re: Script for sniffing traffic.

Thanks for the continued updates. I haven't had a chance to run it again yet, but am poking through the code. Couple of things:

1. The add_target function doesn't seem to use the target IP in the title. This is done now in the initially created arpspoof commands, just not the ones from the add_target call.

2. I couldn't get the demo video to play. May have just been me. I'll try it again later. I hit the "Demo Video" button and it popped up the viewer, but it just never started. The progress bar kept spinning.

3. [looping, parsing, tailing stuff]

1. DONE
2. Works for me! Maybe a codec problem? Try again (also might take some time to load, even if the vid is only 2Mo...)
3. cf end of post.

Originally Posted by portos

Hi all!
That's what I see in the file yamas.pass.txt - but... where are the passwords!? Thanks!

Re: Script for sniffing traffic.

I like what you did with the realtime password detection. I have that as a todo in easy-creds. I am just wondering if things don't get missed with so many "custom" values for usernames & passwords. Seems like that egrep line of code would just continue to grow.

It might make sense to have a defs file and then let your script run against that. Just call a script to parse the sslstrip log against a def file every 10 secs or so.

I have noticed as I continue to use the script I find values that are not currently caught by the defs file in easy-creds and add them as I go.

Great script. With ettercap behaving badly in BT5, ARP spoof may have to be the way to go. Kind of hard though when you are trying to poison 100 systems or so.

Caught a cred with easy-creds that cain didn't pick up (port 389 traffic). Was able to crack the corp with it. Always great to have another tool in the bag like this script, thanks for sharing.

Re: Script for sniffing traffic.

Originally Posted by ericmilam

I like what you did with the realtime password detection. I have that as a todo in easy-creds. I am just wondering if things don't get missed with so many "custom" values for usernames & passwords. Seems like that egrep line of code would just continue to grow.

It might make sense to have a defs file and then let your script run against that. Just call a script to parse the sslstrip log against a def file every 10 secs or so.

I don't think anything gets missed; in all my tests, I never missed anything, and nobody ever reported not finding anything, so I believe it's efficient! The egrep line is not very pretty, for sure, but I can't seem to do that in awk... in which case I'd just do a parser.awk script...
Before doing this script, I found yours, and as I posted before (in BT4 forums) I didn't like the definition file thing, for the simple reason it's restrictive, and it requires a second file (btw, why not generate it instead of downloading it as a separate thing?). I never got to add things to your defs file so I thought "fcuk it, I'll do my own", and that's how I started!

Originally Posted by ericmilam

Great script. With ettercap behaving badly in BT5, ARP spoof may have to be the way to go. Kind of hard though when you are trying to poison 100 systems or so.

Thanks! I'll trust you about attacking 100 systems with arpspoof, since I never got to do more than about ten at a time!

Originally Posted by ericmilam

Caught a cred with easy-creds that cain didn't pick up (port 389 traffic). Was able to crack the corp with it. Always great to have another tool in the bag like this script, thanks for sharing.

Re: Script for sniffing traffic.

Originally Posted by comaX

I don't think anything gets missed; in all my tests, I never missed anything, and nobody ever reported not finding anything, so I believe it's efficient!

Well, I would just say it hasn't been tested in enough places yet. You'll find that different sites have different values and though you've done a great job grabbing the most common, you'll find you'll need to continue to add to that egrep statement. How do you think Cain does it? It has a large set of values for username & password that it compares against.

You may not have the same defs file as easy-creds, but you are trying to do the same "magic" in your egrep/awk line of code. I know because I tried too and the best way, or what I found for me the most accurate way was to build a specific defs file. The defs file can and should be added to. I recently made a post on how to do it.

I've got a red team pt in a few weeks, I'll give your script a run and provide feedback. In the end though, I think you may end up succumbing to a defs file... perhaps one just more elegant than mine.
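As an added illustration of the defs-file approach discussed in the two posts above (this is example code, not part of yamas or easy-creds): a small Python scanner that loads form-field names from a defs list and reports cleartext credential submissions found in sslstrip-style POST log lines. The defs format, hostnames and log lines are constructed for the example; password values are reported only by length.

```python
import re
from urllib.parse import parse_qsl

CREDS_DEFS = """\
# constructed defs (hypothetical format): <type>:<form field name>, one per line
user:username
user:email
pass:pass
pass:password
pass:passwd
"""

# Constructed sample in the style of sslstrip's POST logging, not a real capture.
SAMPLE_LOG = """\
2011-06-01 12:00:01,123 SECURE POST Data (login.example.test):
username=alice&password=hunter2&submit=Login
2011-06-01 12:00:05,456 SECURE POST Data (shop.example.test):
email=bob%40example.test&passwd=s3cret&remember=1
2011-06-01 12:00:09,789 SECURE POST Data (news.example.test):
q=backtrack&passage=42&page=2
"""

POST_HDR = re.compile(r"POST Data \(([^)]+)\):")

def load_defs(text):
    """Parse defs text into {'user': {...}, 'pass': {...}}; blank and '#' lines are skipped."""
    defs = {"user": set(), "pass": set()}
    for line in text.splitlines():
        kind, _, name = line.strip().partition(":")
        if kind in defs and name:
            defs[kind].add(name.lower())
    return defs

def scan_log(log_text, defs):
    """One finding per POST body carrying a password-type field. Names are matched whole after
    URL decoding (so 'passage' does not trip 'pass'); the secret is reported only by length."""
    findings, host = [], None
    for line in log_text.splitlines():
        m = POST_HDR.search(line)
        if m:
            host = m.group(1)          # the next non-empty line is the form body
        elif host and line.strip():
            pairs = parse_qsl(line.strip(), keep_blank_values=True)
            users = [v for k, v in pairs if k.lower() in defs["user"]]
            pws = [(k, len(v)) for k, v in pairs if k.lower() in defs["pass"]]
            if pws:
                findings.append({"host": host, "user": users[0] if users else None,
                                 "pass_field": pws[0][0], "pass_len": pws[0][1]})
            host = None
    return findings
```

Adding a new site's field name is one line in the defs list rather than another alternative in a growing egrep expression, which is the maintenance point made above.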

Re: Script for sniffing traffic.

Originally Posted by ericmilam

Well, I would just say it hasn't been tested in enough places yet. You'll find that different sites have different values and though you've done a great job grabbing the most common, you'll find you'll need to continue to add to that egrep statement. How do you think Cain does it? It has a large set of values for username & password that it compares against.

You may not have the same defs file as easy-creds, but you are trying to do the same "magic" in your egrep/awk line of code. I know because I tried too and the best way, or what I found for me the most accurate way was to build a specific defs file. The defs file can and should be added to. I recently made a post on how to do it.

I've got a red team pt in a few weeks, I'll give your script a run and provide feedback. In the end though, I think you may end up succumbing to a defs file... perhaps one just more elegant than mine.

Yeah, I found your post about how to add them just yesterday, and it seemed pretty obvious... I don't know what I did wrong! It's a great script you have there though, and my only problem with it really was that defs file! But that's just a personal preference, I'm not saying it's bad.

Your feedback will be very welcome, I'm looking forward to reading it. I'll give yours another try too, since I tested it a while ago.